In May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the deprecation of SMS authentication as a second factor for strong authentication.

Many news outlets and security blogs have discussed the issue since then, expressing vastly different takes on the matter. I decided to ask two IBM authentication experts, Dustin Hoff and Ashish Malhotra, for their recommendations.

IBM Experts Weigh In on SMS Authentication

Question: Let’s level set on the basics — what is an SMS one-time password (OTP)?

Malhotra: In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters just as easily.

How can an SMS OTP be compromised?

Malhotra: If a mobile phone is compromised because its user unwittingly downloaded malware onto it, a fraudster can simply command the malware to monitor text messages, including those containing OTPs, on that phone. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to SMS on mobile phones specifically to intercept OTPs.

Many of these Trojans are targeting SMS OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers. All of these exploit insecure SMS networks and erode misplaced trust in the channel.


What about for users whose phones haven’t been corrupted by malware? Is SMS OTP safe then?

Malhotra: The security of SMS authentication relies on the security of cellular networks, and with the attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware.

In addition, SMS messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

How are companies reacting to these threats?

Hoff: Despite these security issues, using SMS OTP as a second factor is still better than simply relying on the username/password combo. For this reason, most companies haven’t urgently migrated to other authentication methods.

However, I would expect this migration to take place over time. As smart devices become more and more ubiquitous, myriad new authentication methods will become available. From push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition, safer and more convenient choices will make it easy to do away with SMS OTP.

Malhotra: If we look at companies worldwide, we see that different geographies are at different stages of the authentication journey. South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology, too. The technology is still very prevalent in North America, though we see that changing little by little.

Many banks, apps and other consumer-facing services use SMS OTP as a second factor. What’s a private consumer to do?

Hoff: As an end user of secure online services, you can immediately take a few steps to help protect yourself.

To start, you should ensure that you follow strong password guidelines and enable two-factor authentication on all services that support it, including Google, Apple and many others. While this sounds easy, you would be surprised to find how many people don’t take this seemingly simple step.

Next, check to see if your service provider offers alternatives to SMS authentication that you can start using today. For example, many services use a solution like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, have more recently started offering OTPs via push notification in order to bypass SMS delivery. There are also multiple vendors that sell relatively low-cost, standards-based, bring-your-own-authenticator hardware tokens, which can provide extra security for a variety of online services.

Finally, regardless of your chosen multifactor authentication method, ensure that you follow good mobile security practices.

What about enterprise use cases? What’s the right authentication strategy for employees, partners, contractors or even customers?

Hoff: As service providers and enterprises, you must also consider the NIST recommendations as part of your larger IAM and online security strategy. Changes may have a large impact on your users and could require additional investment, so it is important to take a thoughtful approach.

To start, remember that SMS-based two-factor authentication is still better than traditional usernames/passwords. Billions of SMS messages are exchanged each day, and while only a fraction of these are OTPs, the system is not going away overnight.

Looking ahead, it’s a good idea to understand the risk associated with different segments of your user population. For example, high-volume users on an online marketplace might be more valuable to your service and therefore pose a greater risk to your business if they are compromised. Once you understand the risk levels associated with different user segments, you can prioritize the implementation of newer, more secure authentication mechanisms.

The third step is to investigate innovations and new technologies for authentication and web access management solutions. While there is no silver bullet, vendors continue to add new functionality in this space to help enterprises and end users alike secure their online activity.

To learn more, watch the on-demand webinar, “Five Steps to Overcome Customer Authentication Chaos.”
